(54) Security device

(57) A security device 16 for deterring theft of the
equipment 10 into which it is incorporated is embedded
in an ASIC 11 which controls many of the functions of
the equipment 10. The security device periodically
implements a challenge/response routine with a remote
security centre 20. If the appropriate response is not
received, the security device 16 disables the ASIC 11,
so that the equipment 10 does not operate properly. On
detecting theft of the equipment 10 the user contacts
the security centre to hold the response when next
challenged.
Description

FIELD OF THE INVENTION 

This invention relates to a security device for deter- 
ring theft of the apparatus or equipment to which it is fit- 
ted or into which it is incorporated. 

BACKGROUND TO THE INVENTION

Various proposals exist to render stolen equipment 
inoperable and thus prevent use by the thief. Some 
automobile audio systems include a feature whereby on 
interruption of the power supply, for example due to tem- 
porary or permanent removal from the automobile, the 
audio system will not function properly until a code is 
keyed in. There also exist schemes in which an automo- 
bile is fitted with an immobiliser which is activated on 
receipt of an instruction from a remote security centre. 
Elsewhere it has been proposed to provide electronic 
goods such as televisions, video tape recorders, etc 
with a disabling unit which can be activated by a remote 
control station. 

However, these latter systems all require the 
remote control station to issue a signal instructing 
immobilisation or disablement, and so are not effective 
if the stolen equipment is taken outside the range of the 
remote station, or if communication with the remote unit 
is deliberately or otherwise broken. Furthermore, the
security of these systems may be circumvented by the 
reasonably knowledgeable crook by by-passing the dis- 
abling unit or immobiliser. 

SUMMARY OF THE INVENTION 

We have designed a system in which the equip- 
ment to which the security device is fitted periodically 
initiates a validation routine which, to be completed suc- 
cessfully, requires a specific instruction signal from a 
security station. 

Accordingly, in one aspect, this invention provides a 
security device for use with apparatus and for allowing 
continued operation of said apparatus dependent on a 
specific instruction signal from a security station, said
device including signal receiving means for receiving a 
specific instruction signal from said security station and 
interrupt means responsive to said signal receiving 
means in a validation routine for inhibiting, preventing,
or interfering with operation of said apparatus if said 
specific instruction signal is not received. 

Thus in this device, if the owner has notified the
security station that the apparatus has been stolen, the 
security station will ensure that the appropriate instruc- 
tion is not transmitted in the next validation routine and 
so the apparatus will not function properly thereafter. 
Also, if for any reason the apparatus is not in communi- 
cation with the remote centre during a validation routine, 
it will not function properly. 



In a simple system there may be only one-way
communication from the remote centre to the security
device, to provide just the required specific instruction
signal, with the initiation of the validation routine being
effected indirectly, perhaps by the device alerting the
owner to contact the remote station by telephone.
However it is preferred for this to be done automatically,
with the security device including signal transmitting
means for transmitting a challenge signal to request said
security station to transmit said specific instruction signal.

The device preferably implements a challenge/response
routine, whereby the specific instruction signal issued
by said security station is a specific response to said
challenge signal, and the security device includes means
for authenticating said specific response signal.

The challenge and response signals are preferably
encrypted on transmission and decrypted on receipt.
The security device preferably includes secure memory
means, such as a Write Once Read Many (WORM)
memory accessible only internally by the security
device for storing one or more keys for use in the
encryption/decryption process. The encryption/decryption
process may be any one of several suitable types,
for example public key or symmetric key systems.

Preferably, communication between said security
device and said security station is via a communications
network, and said challenge signal includes data
identifying the network address of said security device,
whereby the security centre may determine the logical
location of a security device, and send the response
signal to that location.

The security device is preferably incorporated in an
integrated circuit which in use exerts at least a major
part of the control function of the equipment. As
integrated circuit technology develops further, so more and
more functionality is integrated into larger and larger
chips, and preferred embodiments take advantage of
this by incorporating the security device into an
application specific integrated circuit (ASIC) together with
circuits representing most of the functionality of the
equipment. This provides an important level of security
as it is extremely difficult, if not virtually impossible, for
someone to circumvent the security device, at least at
economically realistic levels.

A further point is that it is highly desirable that a
security system does not interfere with routine
maintenance and repair of equipment, for example by
restricting supply of replacement chips to legitimate owners or
service personnel. Thus, if the security device is
securely embedded into the ASIC, ready availability of
replacement ASICs should not significantly degrade
security of the system, because by their design the
replacement ASICs will also require periodic permission
from the security station, to function properly.

There are various ways of ensuring that the security
device checks routinely for an instruction signal from the
security station. Thus, if the apparatus is connected to
power permanently or for long periods, the device
preferably includes a timer and initiates a validation routine
each time the timer times out. Alternatively, or in
addition, where the apparatus is operated for shorter
periods, the device may include a non volatile counter
means which increments each time the apparatus is
operated or powered up, the device initiating a
validation routine every time the counter means reaches a
predetermined number or multiple thereof.

Communication between the security device and
the security station may be set up in a variety of ways.
For apparatus such as a video tape recorder which is
semi-permanently located, communications may be via
the plain old telephone system (POTS). For other
applications, e.g. with mobile equipment or vehicles,
communication may be via a cellular telephone network, radio,
infra-red data links and so on, or combinations of these,
and suitable communication systems will be apparent to
those skilled in the art.

Whilst the invention has been described above, it
extends to any inventive combination of the features set
out above or in the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may be performed in various ways
and, by way of example only, an embodiment thereof
will now be described in detail, reference being made to
the accompanying drawings, in which:-

Figure 1 is a schematic diagram of equipment fitted
with an embodiment of security device in
accordance with this invention, and

Figure 2 is a flow chart showing the operation of the
security device of Figure 1.

DESCRIPTION OF THE PREFERRED EMBODIMENT 

In this example, the security device 16 is incorporated
in a video tape recorder (VTR) 10, semi-permanently
connected to a power supply by lead 12. The
VTR 10 follows conventional design except that most of
the functionality of the apparatus is integrated into an
application specific integrated circuit (ASIC) 11. Thus
the ASIC has a collection of functional circuit elements
14 which control most of the mechanical and electrical
functions such as tape and cassette transport, tuning,
programming, timing, etc operations, to the extent that
the VTR 10 has minimal resale value without a fully
functional ASIC 11. The ASIC 11 also includes a
security device 16 which is capable of disrupting operation of
at least some of the functional circuit elements 14, if
certain security conditions are not met, to be described in
further detail below. The disruption may take the form of
inhibiting some or all of the responses to controls and
disabling some or all outputs of the functional circuit
elements. This may be done, for example, by forcing
internal signals to a quiescent state, removal of scanning
waveforms, forcing incoming control signals to their
quiescent state, forcing outputs to their quiescent state,
removing clock or power from certain internal circuits, or
stopping a microprocessor from executing normal
operations by the use of a conditional test input or interrupt
input. These actions may be forced at various functional
circuit elements 14 within the ASIC 11 by control
signals. ASIC conductors are usually difficult to isolate and
it is usually difficult to make an electrical connection to
those conductors. However, in this embodiment they
may be buried within the volume of the ASIC 11, so that
they cannot be accessed without irreparably damaging
other elements of the ASIC 11, further to enhance
security.

There may be multiple conductors, each providing
the permission signal to different functional circuit
elements 14, each driven by a separate buried buffer from
within the security device, so that multiple connections
must be made to override the 'stop' signal. Each
functional circuit element may contain a communication
element for communication with the security device 16,
such that each communication element may require a
waveform, rather than a simple logic level, to allow
operation. Each communication element may require a
different waveform so that active inputs, rather than logic
levels, are required to override the 'stop' signal. Thus
the level of complexity, and thus immunity to
interference, may be selected according to the level of
perceived threat.

Although for ease of illustration the functional circuit
elements 14 are shown discrete from the security
device 16, in practice the circuit elements may be
interspersed, to minimize the possibility of successfully
circumventing the operation of the security device 16, as
discussed above.

The security device 16 has a transceiver 18, capable
of transmitting and receiving signals to and from a
remote security centre 20, by any suitable communication
medium, here the POTS system. Although shown
on the ASIC 11, the transceiver 18 may be separate.
The security device 16 also includes circuitry 22 for
implementing a challenge/response scheme based on
cryptographic techniques, and storing the associated
encryption data. Such encryption systems are well
known, see for example page 357 - "Peer Entity
Authentication" in "Security for Computer Networks" Davies
and Price, John Wiley and Sons, 2nd Edition, 1989, and
ISO 9798 "Peer Entity Authentication Mechanism Using
An n-bit Secret Key". There are many possible
challenge/response mechanisms. They are of varying
degrees of complexity, but the general basis is for the
security device 16 to obtain a random number, encrypt
it using a first key, K1, and send it to the remote security
centre 20. This is the challenge. The remote security
centre 20 decrypts the challenge with the key K1,
encrypts it with a second key, K2, and sends it back to
the security device. This is the response. The security
device decrypts the response with key K2 and checks
that the decrypted number is the same as the original
random number. This proves to the security device that
the message came from an entity with knowledge of the
keys K1 and K2, presumed to be the remote security
centre 20. The remote security centre 20 provides the
response only if the security device 16 is authorized to
continue operation. Thus encryption systems such as
public key, symmetric key etc. may be used.

The security device 16 also includes power-up
detect circuitry 24 which detects power up of the ASIC
11, a timer 26 and a non-volatile counter 28. The ASIC
11 contains a write once read many memory (WORM),
which is preferably a fusible link device, although it
could be an EPROM in a non-transparent package.

The remote security centre 20 serves many units in
an area and includes a transceiver 27 for transmitting
and receiving signals to and from the units containing
the ASIC 11 via the POTS system. It also includes
circuitry 30 for implementing cryptographic techniques
and for storing the associated encryption data, and an
operator interface 32 which allows the operator to
prevent transmission of response signals to a selected unit,
if that unit has been identified as stolen.

In operation of the system, when leaving the
factory, the ASIC 11 is programmed with a key pair
preferably in the WORM and the associated key pair is
registered with a central agency which runs the remote
security centre 20. Referring to Figure 2, when the VTR
10 is turned on, the non-volatile counter 28 is
incremented and the device determines whether the counter
has reached the predetermined number or a multiple
thereof (Steps 40, 42).

If the counter 28 has reached the number or a
multiple, the device initiates a validation routine by calling
up the remote security centre 20, issuing a challenge
and requesting a response using the encryption and
decryption steps referred to above. Unless the remote
security centre 20 has been advised that the VTR 10
has been stolen, the centre will respond with a response
which is then checked by the security device 16 to
ensure that it is as expected and, if so, the device allows
the VTR 10 to continue to operate. The timer 26 and
counter 28 are then reset at step 44, and the device
goes into a timed routine 46.

If the VTR 10 has been disconnected from the
communication medium, or the remote security centre 20
has been alerted not to send the response, non-arrival
of the response triggers the safety device 16 at step 48
to stop normal operation of the VTR 10 using one of the
disruption techniques described above, and to wait for
possible manual initiation of the validation routine.

If, on detection of power up, the counter 28 does not
reach the preset number, then it goes into the timed
routine 46. Here the timer 26 runs until it times out,
whereupon the security device 16 initiates the validation
routine by calling up the remote centre 20.

As soon as a legitimate owner becomes aware of
the theft of equipment incorporating the security device
16, he calls up the agency running the remote security
centre 20 which, after appropriate checks, instructs the
remote security centre not to send any response signal
to the stolen equipment. The equipment, even if
connected to the appropriate communication medium, will
become non-functional and of minimal resale value
when the security device is triggered by non-arrival of
the response signal.
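
The challenge/response exchange and the counter-triggered, fail-closed validation routine described above, sketched in Python as an added example (not code from the patent). The class and method names are hypothetical, and a toy Feistel network over HMAC-SHA256 stands in for the cipher, which the text leaves unspecified.

```python
import hashlib
import hmac
import secrets

ROUNDS = 8  # toy Feistel cipher: a stand-in, the patent names no cipher

def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    """Encrypt one 16-byte block."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt(key, block):
    """Invert encrypt() by running the rounds backwards."""
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

class SecurityCentre:
    """Remote security centre 20 (hypothetical model)."""
    def __init__(self):
        self.keys = {}       # unit id -> (K1, K2), registered at the factory
        self.stolen = set()  # units the operator has flagged

    def respond(self, unit_id, challenge):
        if unit_id in self.stolen or unit_id not in self.keys:
            return None      # withhold the response
        k1, k2 = self.keys[unit_id]
        return encrypt(k2, decrypt(k1, challenge))

class SecurityDevice:
    """Security device 16 (hypothetical model); `link` carries the challenge."""
    def __init__(self, unit_id, k1, k2, interval=3):
        self.unit_id, self.k1, self.k2 = unit_id, k1, k2
        self.interval, self.counter, self.enabled = interval, 0, True

    def validate(self, link):
        nonce = secrets.token_bytes(16)  # fresh random number each time
        response = link(self.unit_id, encrypt(self.k1, nonce))
        # Fail closed: no response, or one that does not decrypt to the nonce
        self.enabled = (response is not None and len(response) == 16 and
                        hmac.compare_digest(decrypt(self.k2, response), nonce))
        return self.enabled

    def power_up(self, link):
        self.counter += 1                # non-volatile counter 28
        if self.counter % self.interval == 0:
            self.validate(link)          # steps 40, 42 of Figure 2
        return self.enabled
```

Because the random number is fresh for every challenge, a response recorded from an earlier exchange fails the comparison and leaves the equipment disabled.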

As a development of this system, the challenge
issued by the security device 16 may include data
representing the identity or location of the user, such as the
source network address of the security device (for
example the user's telephone number, if communications
are via the POTS). The remote security centre 20
would then send the response back to that same
network address, possibly after a deliberate break in
communication. This would allow the remote security centre
20 to monitor the logical location of the security device
16, and possibly provide a tracking facility.

Claims 

1. A security device for use with apparatus and for 
allowing continued operation of said apparatus 
dependent on a specific instruction signal from a 
security station, said device including signal receiv- 
ing means for receiving a specific instruction signal 
from said security station and interrupt means 
responsive to said signal receiving means in a vali- 
dation routine for inhibiting, preventing, or interfer- 
ing with operation of said apparatus if said specific 
instruction signal is not received. 

2. A security device according to Claim 1, wherein 
said security device includes signal transmitting 
means for transmitting a challenge signal, to 
request said security station to transmit said spe- 
cific instruction signal. 

3. A security device according to Claim 2, wherein in 
use said security device and said security station
communicate via a communications network, and 
said challenge signal includes data identifying the 
network address of said security device. 

4. A security device according to any preceding 
Claim, wherein said specific instruction signal from 
said security station comprises a specific response
signal to said challenge signal, and said security 
device includes means for authenticating said spe- 
cific response signal. 

5. A security device according to Claim 4, including
means for encrypting said challenge signal. 

6. A security device according to Claim 4 or Claim 5, 
wherein said specific response is in encrypted
form, and said device includes means for decrypt- 
ing said specific response. 

7. A security device according to Claim 5 or Claim 6,
including a secure memory for storing one or more 
keys for said encryption process. 

8. A security device according to any preceding
Claim, wherein said interrupt means is incorporated
in an integrated circuit which also contains circuitry
which exerts a control function in the apparatus.

9. A security device according to Claim 8, wherein
said integrated circuit contains at least a major part
of the control function of the apparatus.

10. A security device according to any preceding
Claim, wherein said security device includes timer
means which, on timing out, initiates said validation
routine.

11. A security device according to any preceding
Claim, wherein said security device includes
power-up detection means for detecting power-up
of said apparatus, and non-volatile counter means
for being incremented at each power-up and for
initiating said validation routine when the count on
said counter means reaches a predetermined
number or multiple thereof.